Electronic publishing, and the provision of access to content, has been one of the driving forces behind the explosive growth of the Internet. Two examples of such electronic publishing, and data access, include (1) Internet-based commerce listings (e.g., classified advertisements, online auctions), which allow users to publish information regarding products and services for sale, and (2) web-based e-mail (e.g., HOTMAIL™ and YAHOO! MAIL) that allow people to send electronic communications to other users.
In order to increase the richness of the presentation of information accessible, and communicated, via the Internet, a number of content descriptor and programming languages have emerged to support the authoring and presentation of content, and to provide interactivity to published content. The most prominent of the descriptor languages are the so-called descriptor formats (e.g., HypeText Markup Language (HTML), eXtensible Markup Language (XML), etc). These markup languages allow active content to be included within data to be rendered by a browser. Among the programming languages that are commonly used to provide interactivity within published content are the JAVA programming language, developed by Sun Microsystems. For example, small Java programs, commonly termed Java applets, are often referenced within published content (e.g., via a URL), and are downloaded and executed within the context of a Web browser. These Java applets can be utilized to provide interactivity and presentation richness. Similarly, an ActiveX control (authored utilizing the C++ or Java programming languages, for example) may be referenced by a web page, and downloaded for execution within the context of a Web browser.
While active content has the potential to enrich the Internet experience, it also presents a number of security problems and vulnerabilities. For example, unscrupulous and malicious users are able to include malicious content within active content of a web page. Such malicious content may, for example, take the form of a virus that infects the computer system of a user on which a web page is rendered.
Other examples of malicious active content may include a Java applet, or an ActiveX control, that harvests personal information residing on user's computer system. The threat posed by such malicious active content is particularly acute where a particular Web service receives and publishes data that may be freely authored by a user. By providing users with the ability to freely author data to be published via a Web service, the Web service is exposed to the possibility that a user may associate malicious content with the published data. While Web browsers include certain built-in safeguards to prevent malicious content from accessing personal data on a user's computer (e.g., content that originated from a specific web site (or from a specific domain) may only access cookies deposited by that web site or domain), it will be appreciated that a publishing Web service will be regarded by the browser as a trusted location, and according will allow content published by that Web service to access cookies associated with the Web service. For example, where a Web-based e-mail service deposits cookies (potentially containing confidential information) on a user's machine, content served by that Web service (e.g., a spam email) might have access to such cookies as a result of having been served from the Web service.
The combating of “malicious” active content presents significant technical challenges to the operators of web-based services. For example, a web-based e-mail service provider may be challenged to exclude malicious content from, or the disable malicious content within, e-mail communications. Similarly, the operator of a web-based commerce system may be challenged to ensure that listings, available from the commerce service provider's web site, do not contain malicious active content, or that the threat posed by the malicious content is neutralized. The technical challenges increase as the volume of communications processed by a particular web site increases.